feat: Bump Pack versions and update release #49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Publish Extractor Pack | |
| on: | |
| push: | |
| branches: ["main"] | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| packages: write | |
| jobs: | |
| release-check: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| release: ${{ steps.get_version.outputs.release }} | |
| version: ${{ steps.get_version.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: "Check release version" | |
| id: get_version | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| pip install yq | |
| current_version=$(cat .release.yml | yq -r ".version") | |
| released_version=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/:owner/:repo/releases/latest | jq -r ".tag_name") | |
| if [[ "$current_version" == "NA" || "$current_version" == "$released_version" ]]; then | |
| echo "No new release found" | |
| echo "release=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "New release found" | |
| echo "version=$current_version" >> "$GITHUB_OUTPUT" | |
| echo "release=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| compile: | |
| name: "Compile Extractor Pack for ${{ matrix.os }}" | |
| needs: [release-check] | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # TODO: Add windows-latest | |
| os: [ubuntu-latest, macos-latest] | |
| if: ${{ needs.release-check.outputs.release == 'true' }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: "Set up Rust" | |
| uses: dtolnay/rust-toolchain@nightly | |
| if: ${{ matrix.os != 'windows-latest' }} | |
| - name: "Build Extractor" | |
| if: ${{ matrix.os != 'windows-latest' }} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/create-extractor-pack.sh | |
| - name: "Upload bundle artifact" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "extractor-bundle-${{ matrix.os }}" | |
| path: "./extractor-pack" | |
| bundle: | |
| name: "Bundle Extractor Pack" | |
| runs-on: ubuntu-latest | |
| needs: [compile] | |
| if: ${{ needs.release-check.outputs.release == 'true' }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: "Downloadd all artifacts" | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: "./extractor-pack" | |
| merge-multiple: true | |
| - name: "Publish Extractor Pack" | |
| if: github.ref == 'refs/heads/main' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| EXTRACTOR_NAME: "bicep" | |
| run: | | |
| ./scripts/publish-extractor-pack.sh | |
| queries: | |
| runs-on: ubuntu-latest | |
| needs: [release-check] | |
| if: ${{ needs.release-check.outputs.release == 'true' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| packs: ["lib", "src"] | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v4 | |
| - name: "Check and Publish CodeQL Packs" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PACKS: ${{ matrix.packs }} | |
| ORG: ${{ github.repository_owner }} | |
| run: | | |
| set -e | |
| PACK_PATH="ql/${PACKS}/qlpack.yml" | |
| echo "[+] Pack Path :: $PACK_PATH" | |
| CURRENT_VERSION=$(grep version $PACK_PATH | awk '{print $2}') | |
| PACK_FULLNAME=$(cat $PACK_PATH | grep "name:" | awk '{print $2}') | |
| PACK_NAME=$(echo $PACK_FULLNAME | awk -F '/' '{print $2}') | |
| echo "[+] Pack Name :: $PACK_NAME ($PACK_FULLNAME)" | |
| PUBLISHED_VERSION=$(gh api /orgs/${ORG}/packages/container/$PACK_NAME/versions --jq '.[0].metadata.container.tags[0]') | |
| echo "Packs :: ${CURRENT_VERSION} -> ${PUBLISHED_VERSION}" | |
| if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then | |
| gh extension install github/gh-codeql | |
| gh codeql pack install "ql/${PACKS}" | |
| gh codeql pack publish "ql/${PACKS}" | |
| fi |